github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 15:48:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

Gateway: harden cron.runs jobId path handling (openclaw#24038) thanks @Takhoffman

Browse Source 
Verified:
- pnpm install --frozen-lockfile
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: Takhoffman <781889+Takhoffman@users.noreply.github.com>
Co-authored-by: Tak Hoffman <781889+Takhoffman@users.noreply.github.com>
This commit is contained in:
Tak Hoffman
2026-02-22 19:35:26 -06:00
committed by GitHub
parent 45febecf2a
commit 259d863353
6 changed files with 79 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/gateway/protocol/cron-validators.test.ts
View File

@@ -46,4 +46,11 @@ describe("cron protocol validators", () => {
expect(validateCronRunsParams({ id: "job-1", limit: 0 })).toBe(false);
expect(validateCronRunsParams({ jobId: "job-2", limit: 0 })).toBe(false);
});
it("rejects cron.runs path traversal ids", () => {
expect(validateCronRunsParams({ id: "../job-1" })).toBe(false);
expect(validateCronRunsParams({ id: "nested/job-1" })).toBe(false);
expect(validateCronRunsParams({ jobId: "..\\job-2" })).toBe(false);
expect(validateCronRunsParams({ jobId: "nested\\job-2" })).toBe(false);
});
});

27
src/gateway/protocol/schema/cron.ts
View File

@@ -59,6 +59,31 @@ function cronIdOrJobIdParams(extraFields: Record<string, TSchema>) {
]);
}
const CronRunLogJobIdSchema = Type.String({
minLength: 1,
// Prevent path traversal via separators in cron.runs id/jobId.
pattern: "^[^/\\\\]+$",
});
function cronRunsIdOrJobIdParams(extraFields: Record<string, TSchema>) {
return Type.Union([
Type.Object(
{
id: CronRunLogJobIdSchema,
...extraFields,
},
{ additionalProperties: false },
),
Type.Object(
{
jobId: CronRunLogJobIdSchema,
...extraFields,
},
{ additionalProperties: false },
),
]);
}
export const CronScheduleSchema = Type.Union([
Type.Object(
{
@@ -241,7 +266,7 @@ export const CronRunParamsSchema = cronIdOrJobIdParams({
mode: Type.Optional(Type.Union([Type.Literal("due"), Type.Literal("force")])),
});
export const CronRunsParamsSchema = cronIdOrJobIdParams({
export const CronRunsParamsSchema = cronRunsIdOrJobIdParams({
limit: Type.Optional(Type.Integer({ minimum: 1, maximum: 5000 })),
});